Path traversal in rclone - CVE-2026-59733

 

Path traversal in rclone - CVE-2026-59733

Published: July 9, 2026


Vulnerability identifier: #VU137262
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-59733
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: rclone.org
Affected software:
rclone

Detailed vulnerability description

The vulnerability allows a remote user to read, overwrite, and delete other users' repositories.

The vulnerability exists due to path traversal in the rclone serve restic private repository path handling when processing crafted URL paths containing ".." segments. A remote user can send a specially crafted HTTP request to read, overwrite, and delete other users' repositories.

Exploitation requires valid HTTP Basic credentials for the attacker's own private repository, the server must be running with serve restic --private-repos, and impact depends on a backend that resolves object paths with POSIX-style path cleaning semantics.


How to mitigate CVE-2026-59733

Install security update from vendor's website.

Sources